Content Decisions - Not a CVE Vulnerability
-------------------------------------------
Each of these content decisions describes characteristics of some
"vulnerabilities" that technically satisfy the CVE vulnerability
definition, but still should not be considered a CVE vulnerability.
I propose that if a candidate has one of these characteristics, it
should not be placed into the CVE.
If we agree to these content decisions, then some of the candidates
listed in the upcoming NOVULN cluster should be REJECTed.
1) "Beta or alpha software is not a CVE vulnerability." (Beta Code
Exception)
A beta or alpha version of software can not be associated with a CVE
vulnerability, *unless* the beta version is the only version that is
expected to be available. Beta and alpha software are universally
understood to have flaws of all kinds, and typically do not appear in
an operational environment - but they may appear more frequently in an
academic or research environment. So, Windows NT 4.0 beta - while it
has security flaws - does not contain CVE vulnerabilities. However,
ICQ is only available as a series of beta programs, so it may contain
CVE vulnerabilities.
2) "Compromise by an extended Brute Force attack is not a CVE
vulnerability." (Brute Force Exception)
If a state in a computing system can only be compromised by a brute
force attack that could in the average case take longer than one week
on an average desktop CPU, then it is not a CVE vulnerability.
Obviously, it's hard to quantify how much "brute force" is sufficient
to say that a particular design choice does not contain a
vulnerability, and perhaps it should be considered on a per-case
basis. Example: an 8-character Unix password could be guessed by
brute force within days or weeks using a large number of machines, but
we probably won't consider that a vulnerability; but if a PGP key can
be cracked within the same time using the same resources, we probably
would.
3) "A denial of service in a client that is easy to recover from, is
not a CVE vulnerability." (Client-Side Denial of Service Exception)
If client-side software can be subjected to a denial of service for a
user alone, but the denial of service only affects that application,
and the user can easily recreate the state which that software was in
before the attack, then that software does not contain a CVE
vulnerability. Example: many attacks on browsers, where the attack
causes the browser to hang or spawn extra windows; a user can be
forced out of an IRC channel; a user can be flooded with Instant
Messenger messages; etc. Note, though, that bugs in these same
applications which allow an attacker to crash the client's machine or
allow the attacker to gain access, would still qualify as CVE
vulnerabilities.
This exception clearly reflects a bias towards the enterprise here, as
it excludes most denials-of-service in chat programs and other
interactive, "social" online activities, like ICQ, Instant Messenger,
IRC, and web browsers. In my opinion, this type of denial of service
problem is more of an inconvenience than a security risk.